mirror of https://gitlab.gnome.org/GNOME/libxslt synced 2025-08-08 21:42:07 +03:00

Backup context node in exsltFuncFunctionFunction

exsltFuncFunctionFunction handles XPath extension functions and is called
from the XPath engine. Since evaluation of function templates can change
the XPath context node, it must be backed up to avoid corruption.

Without proper backup, evaluating certain content in function templates
could also result in use-after-free errors.

It seems that libxml2 commit 029d0e96 helped to expose the error.

Fixes #11.
Nick Wellnhofer
2019-02-12 01:52:31 +01:00
parent 99eb3e4358
commit 45d1d8597e
4 changed files with 19 additions and 1 deletions


@@ -291,7 +291,7 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
xmlXPathObjectPtr oldResult, ret; xmlXPathObjectPtr oldResult, ret;
exsltFuncData *data; exsltFuncData *data;
exsltFuncFunctionData *func; exsltFuncFunctionData *func;
xmlNodePtr paramNode, oldInsert, fake; xmlNodePtr paramNode, oldInsert, oldXPNode, fake;
int oldBase; int oldBase;
void *oldCtxtVar; void *oldCtxtVar;
xsltStackElemPtr params = NULL, param; xsltStackElemPtr params = NULL, param;
@@ -360,6 +360,9 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
} }
tctxt->depth++; tctxt->depth++;
/* Evaluating templates can change the XPath context node. */
oldXPNode = tctxt->xpathCtxt->node;
/* /*
* We have a problem with the evaluation of function parameters. * We have a problem with the evaluation of function parameters.
* The original library code did not evaluate XPath expressions until * The original library code did not evaluate XPath expressions until
@@ -446,6 +449,7 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
data->ctxtVar = oldCtxtVar; data->ctxtVar = oldCtxtVar;
if (params != NULL) if (params != NULL)
xsltFreeStackElemList(params); xsltFreeStackElemList(params);
tctxt->xpathCtxt->node = oldXPNode;
if (data->error != 0) if (data->error != 0)
goto error; goto error;
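Review bot: The restore `tctxt->xpathCtxt->node = oldXPNode;` sits only on the fall-through path just before `if (data->error != 0)`, so any `return` or `goto error` taken between the save after `tctxt->depth++` and that line would hand the XPath engine back whatever node the template last selected. The parameter-handling code between the second and third hunks is not visible here, so this needs checking against the full function; if such an exit exists, repeat the restore on it. Only `node` is backed up; if template evaluation can also alter `contextSize` or `proximityPosition` on `tctxt->xpathCtxt`, they would need the same save/restore, though that is an inference rather than something the hunks show. A short comment at the restore, e.g. `/* Restore the caller's context node; the template may have left it pointing at a freed node. */`, would keep the save/restore pairing obvious to later editors.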

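--- a/tests/docs/bug-216.xml
+++ b/tests/docs/bug-216.xml
@@ -0,0 +1 @@
+<top xmlns:ns1="abc"/>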


@@ -0,0 +1,2 @@
<?xml version="1.0"?>
10

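--- a/tests/general/bug-216.xsl
+++ b/tests/general/bug-216.xsl
@@ -0,0 +1,11 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:func="http://exslt.org/functions" version="1.0" extension-element-prefixes="func">
+<func:function name="func:f">
+<xsl:for-each select="namespace::*">
+<xsl:sort/>
+</xsl:for-each>
+<func:result>10</func:result>
+</func:function>
+<xsl:template match="*">
+<xsl:value-of select="func:f()+count(abc)"/>
+</xsl:template>
+</xsl:stylesheet>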
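Review bot: The expected output of `func:f()+count(abc)` does not appear to distinguish a correctly restored context node from a stale one, because the input document `<top xmlns:ns1="abc"/>` has no `abc` child and `count(abc)` is therefore 0 from `top` as well. As written, the test probably catches a regression only as a crash or under a memory checker such as ASan or valgrind. Giving the input an `<abc/>` child, so the expected result becomes `11`, would make a lost context node visible as wrong output in an ordinary test run. A leading comment such as `<!-- Regression test for issue #11: context node must survive func:f() -->` would also tie the stylesheet to the fix.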